New Rules for Identification and Authentication
Revision 5 contains a specific family of 12 controls addressing identification and authentication that ensure identities and credentials are issued, managed, verified, revoked and audited for authorized devices, users and processes. The controls further mandate identity proofing and binding them to credentials based on the context of interactions.
Moreover, users, devices and other assets must be authenticated commensurate with individuals’ security and privacy risks, as well as organizational risks.
The specification for authenticator management is prominent in Revision 5, likely due to recent cyber incidents and data breaches caused by authenticator issues.
Case in point: The Pentagon issued a notice in February that a third-party service provider had exposed numerous emails containing sensitive information, including exchanges pertaining to U.S. Special Operations Command. The disclosure .
DISCOVER: Kerberoasting cyberattacks rose 583 percent in 2023.
The messages were accessible via an unsecured federal cloud email server connected to the internet without a password due to a misconfiguration. Security researcher Anurag Sen found the server and shared the details with news outlet TechCrunch, which alerted the government.
Dissecting Authenticators
Authenticators include passwords, cryptographic devices, biometrics, certificates, one-time password devices and ID badges — including Common Access Cards and Personal Identity Verification cards. Device authenticators include certificates and passwords. Initial authenticator content is the actual content of the authenticator — the initial password, for example.
Revision 5 updates for authenticator management address the threats of spoofing and repudiation. Spoofing is impersonating another user or system component to obtain access to the system, while repudiation refers to the plausible deniability of actions taken under a given user or process.
Information systems must be able to enforce minimum password complexity for organization-defined requirements: case sensitivity; number of characters; and a mix of uppercase and lowercase letters, numbers and special characters. An agency’s information system must also enforce an organization-defined number of changed characters, when new passwords are created.
RELATED: Create password-free authentication in four steps.
For password-based authentication, agencies must verify that passwords are not found on the list of commonly used, expected or compromised passwords. The new controls in Revision 5 also direct organizations to help users generate strong passwords with the assistance of automated tools.
NIST encourages a customizable approach to managing accounts and authenticators. Agencies are free to select their own password managers to accomplish these tasks, and they can also choose the frequency with which passwords and authenticators are updated.
As with any government program, suppliers are a critical part of the implementation process, and that’s where FedRAMP-authorized partners are important.
FedRAMP-authorized suppliers are the safest bet to set and update control requirements efficiently and verifiably. With new zero-trust security protocols, the intricacies of the NIST controls, and the evolving threat and tech landscapes, suppliers must show they’re capable of providing not only tools but also timesaving support.
EXPLORE: CISA’s greenfield solution is a model for modernization in the zero-trust era.
Privileged Access Management and the Dark Web
Privileged access management helps IT administrators and security personnel manage and secure privileged credentials and enforce the principle of least privilege. PAM can protect organizations against attacks by making it easy for IT to set and enforce Revision 5-compliant password requirements, including:
- storing passwords using an approved, salted key-derivation function — preferably using a keyed hash
- immediately selecting a new password upon account recovery
- selecting long passwords and passphrases, including spaces and all printable characters
- automating tools to assist the user in selecting strong password authenticators
- composition and complexity rules
Breached account credentials, including billions of compromised passwords, often end up on the dark web. If credentials are found to be compromised, a dark-web monitoring service enables agencies to stay abreast of account information and take immediate action. In fact, 72 percent of companies already monitor the dark web for stolen employee credentials to prevent them from falling into the hands of bad actors, according to a Keeper Security report.
Solutions that have a zero-knowledge security architecture should be able to scan and monitor the dark web for stolen passwords and other compromised credentials.
MORE FROM FEDTECH: This House inquiry shined a light on spear-phishing.
Federal defenses have coalesced against increasingly sophisticated and persistent threat campaigns, including those on the dark web.
The Cybersecurity and Infrastructure Security Agency’s Zero Trust Maturity Model, the White House’s executive order on cybersecurity and federal zero-trust strategy, and the Department of Defense’s Zero Trust Strategy and Roadmap all advance the security strategy while setting deadlines for agencies to establish their own architectures.
As a result of this quadruple push, we are seeing incredible new implementations of zero-knowledge security models for use on the dark web. This includes one where a dedicated password manager is helping to address issues head-on by offering the highest level of encryption and features like dark web scans and alerting.
Given the degree of connectivity among public and private sector information systems, security concerns dominate business dealings and inform government dialog. Bad actors working for themselves or foreign adversaries are highly capable, requiring agencies to deploy advanced cyber solutions to fend off attacks.
RESEARCH: Agencies employ tools by the dozens to boost network visibility.
Revision 5 addresses the urgency of cyber resilience and the need to ensure all of the products, players, components and rules work together to support the mutual security of public and private sector organizations. Relying on these NIST safeguards means implementing the right controls to protect the privacy of individuals and the security of critical digital and physical assets that agencies depend on for their missions.
FedRAMP-authorized providers offer the highest levels of security and privacy to assist agencies with Revision 5 compliance.
Focusing on outcomes and integrating new, state-of-the-art controls to support cyber resilience and strengthen security will enable agencies and their partners to get the business of government done.
